
RZ20 Display-only

former_member201910
Participant
0 Kudos

I added the transaction RZ20 and assigned authority object S_RZL_ADM with activity 03 (Display only) to a role.
Even having only display authorization, this user is allowed to change (delete, save, copy, etc.) the method.
What did I miss to allow it as display-only authorization?

Thank you.

Jhiosa

Matt_Fraser
Active Contributor
0 Kudos

Hi Maria,

Your question is mis-tagged, as this is about authorizations, not NetWeaver. So, I have moved it to "NW ABAP User Administration and Authorization." I notice you have another outstanding question which also seems to be more about security and authorizations, so I'm going to move that one as well (https://answers.sap.com/questions/126351/index.html).

Cheers,
Matt

Accepted Solutions (0)

Answers (4)


mariacs
Explorer
0 Kudos

Hi Jhiosa,

You can set a trace (transaction ST01) for your user to find out which authorization objects allow you to do it.

After that, you can check in transaction SUIM which role assigned to you contains this authorization object.

Kind regards,

Maria

juliusbussche
Explorer
0 Kudos

Note that the S_RZL_ADM concept is slightly tricky: You can execute external OS programs with this authorization. When doing so from ABAP, the application executing the program must decide whether the external program is relatively harmless and does not change anything (ACTVT = '03') or whether it contains functions which are potentially critical or can start any external program (ACTVT = '01').

SM36, for example, only checks '01', as outside of logical commands, it cannot know or control what the external program does. In contrast, if the application runs a specific external program and knows what it does and classes it as non-critical, then it should check '03'.

But those are the only two values available and non-critical does not necessarily mean display only.

So you are sometimes stuck between a rock and a hard place...

Best practice is to use S_LOG_COM or an auth object closer to the application within the application and then let the OS access (like the DB access) be authorization neutral.

Cheers,

Julius

former_member201910
Participant
0 Kudos

Hi Fraser,

Thank you for responding about the mis-tagged question. I checked the other related authorizations and they are all in display access.

I was informed that I can implement the attached note 2382409 - Optimization of authority concept in RZ20 to be able to access RZ20 with a display-only role.

Matt_Fraser
Active Contributor
0 Kudos

Have you confirmed that the user isn't getting the extra authorizations from another role assignment?
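
The cross-role check asked about in the last reply, as an added example that is not part of the original thread: it lists which of a user's roles grant each S_RZL_ADM activity, since authorizations from all assigned roles add up. The rows are constructed in the layout of the AGR_USERS and AGR_1251 tables, and the user and role names are hypothetical.

```python
# Constructed sample rows (not from the thread), shaped like exports of
# AGR_USERS (user -> role) and AGR_1251 (role -> object / field / value range).
AGR_USERS = [
    ("MONITOR01", "Z_RZ20_DISPLAY"),   # hypothetical display-only role
    ("MONITOR01", "Z_BASIS_OPS"),      # hypothetical second role
    ("AUDITOR01", "Z_RZ20_DISPLAY"),
]
AGR_1251 = [
    # (role, object, field, low, high)
    ("Z_RZ20_DISPLAY", "S_TCODE", "TCD", "RZ20", ""),
    ("Z_RZ20_DISPLAY", "S_RZL_ADM", "ACTVT", "03", ""),
    ("Z_BASIS_OPS", "S_RZL_ADM", "ACTVT", "01", "03"),
]

def value_matches(low, high, wanted):
    """True if a role value (single value, range, or '*' pattern) covers wanted."""
    if high:                                  # range LOW..HIGH
        return low <= wanted <= high
    if low.endswith("*"):                     # '*' or a prefix pattern such as 'RZ*'
        return wanted.startswith(low[:-1])
    return low == wanted

def roles_granting(user, obj, field, wanted):
    """Roles assigned to user whose authorization data covers obj/field = wanted."""
    assigned = {role for uname, role in AGR_USERS if uname == user}
    return sorted({
        role for role, o, f, low, high in AGR_1251
        if role in assigned and o == obj and f == field
        and value_matches(low, high, wanted)
    })

def rzl_adm_report(user):
    """Per-activity list of granting roles for the two ACTVT values in the thread."""
    return {actvt: roles_granting(user, "S_RZL_ADM", "ACTVT", actvt)
            for actvt in ("01", "03")}

if __name__ == "__main__":
    for user in ("MONITOR01", "AUDITOR01"):
        for actvt, roles in rzl_adm_report(user).items():
            print(f"{user} S_RZL_ADM ACTVT={actvt}: {roles or 'not granted'}")
```

Any role listed under ACTVT 01 for a user who should be display-only is the assignment to review. This covers role data only, not profiles assigned to the user directly.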